When we build databases, we tend not to pay much attention to the country of origin of customer information, but in future we may have to.
I refer you to the Massachusetts Data Privacy Law 201 CMR 17, which broadly says: if any information is kept on a Massachusetts resident, and that information is personally identifiable information (PII), then it must be encrypted whenever it is transmitted. Further to that, any PII must be stored encrypted in the database in which it resides!
PII is defined as a first and last name combined with any one of a small number of pieces of information that enable a person to be individually identified, e.g. driver's licence number, passport number, etc.
The fines are $US5000 per offence!!! That seems slightly high, but in the litigious environment of the USA it might be necessary to protect the state from litigation over not protecting the rights of its residents.
I’m sure there are state vs. federal law issues here, but it would be interesting to see how far-reaching this could be. Is it possible that the State of Massachusetts could force the USA to fine companies in other countries?
The future of databases is clear … if in doubt encrypt!